Microsoft Privacy Case: What's At Stake?

A ruling that Microsoft must turn over emails in a foreign data center could cost US businesses billions and make a mess of international law, experts say.

Location Analytics + Maps: 10 Eureka Moments

(Click image for larger view and slideshow.)

Microsoft executive VP and general counsel Brad Smith vowed this week to fight US District Court Judge Loretta A. Preska's ruling that the company must turn over customers' emails to the government, even though the data is stored in a Microsoft data center in Ireland. The verdict won't be immediately applied, because Preska, who unexpectedly issued a bench ruling, stayed her decision so that Microsoft can appeal. Nevertheless, many are concerned that if the ruling becomes an established precedent, it will spell trouble for not only privacy rights and international law, but also for the US tech market.

In the wake of the NSA surveillance scandal, some foreign governments and businesses have been hesitant to use US tech products. At this time last year, experts estimated that the damage to the US tech sector's reputation might cost domestic cloud companies $45 billion. Since then, Microsoft, Google, Cisco, and other large tech players have denied installing NSA backdoors in their products. Many have also enjoyed strong cloud momentum, as more businesses have embraced cloud infrastructure and hosted services to improve bottom lines.

Nevertheless, privacy and security concerns remain prevalent, especially on the international scene, where countries including China and Russia are removing US products from government use, and replacing them with local alternatives. There's a lot of political theater mixed into these concerns over data security and US trustworthiness, of course, but make no mistake: Decisions such as Preska's stoke legitimate fears.

"There's a great deal of legal uncertainty at the moment," Kate Westmoreland, a lawyer and fellow at Stanford Law School said in a phone interview. "Either way this decision unfolds in the end, the important thing is to have some business certainty."

Westmoreland cautioned in a blog post that the ruling doesn't grant the US government unrestricted access to cloud data. The ruling applies only to US-based companies, and the issue only came before Preska because another judge found probable cause to issue a search warrant in the first place. It's too soon to tell if the ruling is a good or bad thing, she wrote, because the case's outcome is less important than the legal rationale that supports it. That rationale could evolve as the case winds through years of appeals.

In the interview, Westmoreland explained some of the potential complications. "Countries will be looking to each other to see how they're handling these things. The way the US courts behave, other countries will be looking at that as a way they might approach it."

"Lost business is an obvious outcome" if the ruling is implemented, but the ramifications for international law could be much worse, according to Morgan Reed, executive director at the Association for Competitive Technology (ACT). In an interview, he told us that if the US government can compel Microsoft to turn over data in an Irish data center, "European governments may say, 'We can extract data from US citizens anywhere in the world.' "

This sort of legal interpretation could lead to a "Balkanization of the Internet," he said, that would threaten the Web's unique identity. He also worries the ruling indicates that "storing data with a company in the US essentially turns you into a US citizen" in terms of the government's reach, but not necessarily its due process protections. "Not everyone has access to the courts in the same way we do. That's unnerving."

Elad Yoran, CEO of cloud security vendor Vaultive, said even if businesses are concerned about government overreach, they shouldn't resist the cloud. "If anything is true of Microsoft's cloud, it's that it's very secure," he told InformationWeek. "The problem is, even if Microsoft builds the widest moats and highest walls, when the judge says, 'Turn the data over,' Microsoft has to. It's a question of control."

Yoran suggests that businesses should apply persistent encryption to data before moving content to the cloud, and that they hold onto the keys themselves. "The golden rule with encryption is, whoever controls the keys controls the data," he said, illustrating that even if Microsoft is forced to give a government your encrypted data, that government could have no way to read it.

Westmoreland also endorses encryption: "It means power is back with the user. There are limitations on being able to compel users to give up those keys."

Yoran, Westmoreland, and Reed each agree that the issue could take years to resolve. According to Reed, the inevitability of a lengthy appeals process might explain why Preska issued a stayed bench ruling. "This case was always going up," he says. "The ruling was a recognition that this was not the final word on this decision. The judge said, 'Why don't I speed it along?'

"It's unfortunate she did that by ruling against innovative tech companies."

Michael Endler joined InformationWeek as an associate editor in 2012. He previously worked in talent representation in the entertainment industry, as a freelance copywriter and photojournalist, and as a teacher. Michael earned a BA in English from Stanford University in 2005 ... View Full Bio

Thanks for your thoughtful response, Michael. You make many fair points that prove I was too quick to pass judgment. FWIW, you definitely sound "old school" -- and I mean that in a positive way -- when it comes to objective journalism.

Regarding tech company losses over the NSA (oh very well) scandal, I'll continue to wait for the numbers. Years spent working in Investor Relations for a F100 telecom operator taught me that companies can fabricate all manner of devices to explain a down quarter, half or year -- "seasonal variations," "an unexpectedly rough winter," and now, I suppose, "foreign distrust of U.S. companies" involved, even if tangentially, in NSA spying. There were occasions in IR when I'd have loved having a readymade excuse like that.

Returning to the core issue of the Silicon Valley vs. NSA flap, as well as the current Microsoft lawsuit, there are three ironies that appear to have escaped notice -- though if you've written on these items and I missed the coverage, I apologize in advance:

Tech companies themselves are among the biggest collectors of customers' personal data, which they either sell to others for advertising purposes, or massage with real time predictive analytics solutions to determine which individuals will churn, which will remain loyal, how to boost customer lifetime value via tailored offers -- and which channels are most likely to succeed in upselling the customer. If the NSA exceeded its limits, it at least had an understandable motive: saving lives. Post 9-11, the marching order to the U.S. intelligence community was to do whatever it took to prevent such a tragedy ever happening again. One unfortunate result: massive collection of metadata under Section 215 of the Patriot Act. Congress is at work on "NSA reform." But however that goes, tech companies will continue to get off scott free for gathering our personal data. Their goal: profits.

Tech leaders including Cisco, Alcatel-Lucent, Ericsson, Juniper and others all manufacture lawful intercept hardware, available in-country or for export, that is used by law enforcement and intelligence agenies, including in some countries with despotic regimes. It's a competitive and lucrative market, i.e., tech companies profit here, too. Any doubts and I'll make be happy to provide the make and model of LI devices manufactured by the aforementioned quartet.

Much has been made of the assertion that NSA programs such as PRISM have produced little in the way of results. Nothing has been made of the fact that, to date, no one has discovered evidence of harm done to a single individual. Notwithstanding ethereal arguments about the potential risks to "privacy," if NSA's programs are a crime they would appear to be victimless.

Thanks for reading, and for the constructive criticism. A few thoughts:

"'NSA Scandal.' Presumably you're referring to the greatest breach of national security in U.S. history?" Sure, you can call it that, if you want. Frankly, I think at this point that the "is all the surveillance justified" argument is well-trod ground. But I'll concede I could have referenced the rationale voiced by the NSA and other agencies, even if it's implicit. Nevertheless, I think "scandal" is appropriate. Even if you think the NSA's programs are necessary, was it not scandalous that a contract employee could single-handedly execute "the greatest breach of national security in U.S. history?" The word "scandal" can apply to both government overreach, or the incompetence with which it communicated top-secret information to people less trustworthy than their bosses supposed. Take your pick.

"If the numbers don't exist, let's drop this argument." That stat isn't beyond reproach, but it wasn't really presented like it was. The paragraph states that even though analysts were predicting huge revenue losses, many cloud companies have nevertheless achieved great momentum (while also continuing to refute some allegations). If there's any subtext there, it's that privacy concerns haven't stopped Microsoft, Google, Amazon et al from raking in the cash. The question is whether they'd be raking in more cash if the Snowden leaks hadn't occurred. The tech companies certainly say so. I received this statement today, for instance, from Carson Sweet, CEO of CloudPassage: "As we've worked with EU-based enterprises on cloud security, we've seen a marked drag in public cloud IaaS adoption as the result of privacy concerns. Most of our international customers lean toward private cloud adoption as a result, and many are waiting for non-US-based cloud providers before adoption public cloud IaaS." As your comment indicates, the tech companies aren't necessarily disinterested, so you can take their position with a grain of salt, but it's one thing to be skeptical, and another to say the concerns aren't worth discussing. The empirical, irrefutable numbers you seem to want might not exist yet, but I don't think you can just "drop" the concern.

Russia and China: The economic and political complexities among China, Russia and the United States are significant; my reference to "political theater" was meant to allude to sanctions and all the rest while maintaining a tight scope on this specific case-- but perhaps I chose too flippant a term. But even if those factors are significant, so are the governments' efforts to ditch Microsoft products. These efforts arguably use privacy concerns as an excuse to promote local agendas, so there's still some more political murkiness there. But I'll let you convince Microsoft CFO Amy Hood that, "The idea of shedding a tear over lost sales to either nation is laughable." I'll also let you convince the majority of Microsoft investors.

To be clear, I'm not debating your ethical stance here. But it's impractical to assume Microsoft will simply shrug and say, "Whatever, we don't care, China and Russia are run by people we don't like, so good riddance." Microsoft execs have repeatedly cited China as an essential growth market, and though the IT decisions of its government don't dictate the rhythms of the country's larger market, Microsoft doesn't find this topic "laughable."

Well, it depends. Users can be different than companies. Per the Stored Communications Act, a lot of the justification for companies having to turn over information derives from the fact that customers willingly gave their information to the company in the first place. Transmitting one's data to a third party, at least in some contexts, is legally tantamount to waving your expectation that privacy over that data will be respect. It might sound insane, but it's what the courts are working with, until we have clearer and more modern legal language.

But an individual user who holds the keys hasn't transmitted those keys to a third party, which muddles things, at least regarding the SCA. Westmoreland also told me that your right against self-incrimination could help you to withstand government requests for encryption keys.

I doubt the U.S. would physically violate another country's sovereignty over something like an email, but I imagine the government could impose all kinds of financial penalties, and potentially charge Microsoft employees in some way.

The customer in question is not publicly identified, nor is his country of origin. The data that tech companies are allowed to share regarding government requests is far, far from complete, but suffice to say, the government doesn't just ask about U.S. citizens. The impression I got talking to the people cited in this article is that the final legal rationale will be quite important. For example, even if the case does involve a U.S. citizen (which again, isn't clear), the ruling could still leave open the door for international searches. And if the case involves a foreign citizen, then the issue is academic. It's not like there's been a shortage of bizarre justifications coming out of the judiciary lately, though the courts have been kind of unpredictable regarding privacy and warrants--e.g. the Supreme Court's recent cell phone ruling increased privacy protections. Judges use smartphones, and judges use email too, after all.

As for whether the U.S. "allows" Russia or Iran to behave similarly-- that's the potential concern, that U.S. will set a precedent for far-reaching searches of electronic data, and that other countries will base their policies similarly.

"He also worried the ruling indicates that 'storing data with a company in the U.S. essentially turns you into a U.S. citizen.'" Is that true? I had been assuming that US prosecutors were investigating a US resident in this case. The article doesn't say anything about the residency or citizenship of the investigation subject. It is totally unacceptable for a US police agency or prosecutors to a pursue a foreign resident in such a manner. Does the US allow Russia and Iran to investigate US citizens in this manner? Of course not.

One point I haven't seen brought up yet is enforcement. If Microsoft refuses to hand over the information, does the justice department plan to invade Ireland and violate long held international treaties? I think not. Laws are only as strong as the enforcement that follows them.

To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.

IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.

Join us for a roundup of the top stories on InformationWeek.com for the week of November 6, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."